fix: 401 logout error #2
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| } | ||
|
|
||
| /** 登出所有设备 */ | ||
| @UseGuards(AuthGuard) |
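Review bot: with the guard gone from logout-all, the handler has no caller identity and should refuse to proceed when no user can be resolved, instead of passing an undefined id through to destroyAllUserSessions and touching a meaningless user_sessions:undefined key; resolve the owner from the session the sid cookie points at (even an expired one, since the record is still stored) and return 401 only when the cookie maps to nothing. If only the expired-session case needs to succeed, keeping the guard on logout-all and relaxing just logout would be the smaller change.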
logout-all endpoint requires authentication but guard removed
High Severity
The logout-all endpoint had @UseGuards(AuthGuard) removed but still uses @ReqUser('id') to extract the user ID. Without the guard, request.user won't be populated by the authentication process, causing userId to be undefined. This results in destroyAllUserSessions(undefined), which creates a Redis key like user_sessions:undefined and returns 0 destroyed sessions instead of logging out all devices for the authenticated user. The endpoint completely fails to achieve its intended purpose.
| } | ||
|
|
||
| /** 用户登出 */ | ||
| @UseGuards(AuthGuard) |
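Review bot: without the guard nothing sets request.sessionId, so the if (sessionId) branch skips authService.logout and the server-side session outlives the cleared cookie; read the id from request.cookies.sid here instead, and make the endpoint idempotent (respond with success whether or not the session still existed) so the client never receives a 401 from logout itself, which is what started the loop.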
logout endpoint cannot access session without guard
Medium Severity
After removing @UseGuards(AuthGuard), the logout endpoint can no longer access the session ID because request.sessionId is only populated by the guard. Without the guard, request.sessionId is undefined, so the if (sessionId) check fails and authService.logout(sessionId) is never called. This means sessions remain in the database indefinitely when users logout, even though the cookie is cleared. The endpoint should extract the session ID directly from request.cookies.sid to maintain full logout functionality.
| const userStore = useUserStore() | ||
| userStore.logout() | ||
| toast.error('登录已过期,请重新登录') | ||
|
|
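Review bot: awaiting userStore.logout() inside the 401 handler makes the redirect depend on that request succeeding and lets a 401 returned by /auth/logout re-enter this same handler; skip the handler when the failing request is the logout endpoint, and run clearAuth() plus the navigation in a finally so the client ends in a logged-out state even when the logout call fails.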
Session expiration handling fails without navigation on error
Medium Severity
When a session expires, the interceptor now awaits userStore.logout() which handles both auth clearing and navigation internally. However, if the logout API call fails (network error, server down), the catch block in logout() silently swallows the error without calling clearAuth() or navigating. The old code called logout() without awaiting and handled navigation independently in the interceptor, guaranteeing the user would be redirected even if logout failed. Users now see "login expired" toast but remain stuck on the current page with stale auth state when logout fails.
When sid expires, the logout API returns a 401 status; but a 401 status triggers the logout API again...
Note
Fixes logout 401 loop and unifies client re-login flow.
- Removed @UseGuards(AuthGuard) from POST /auth/logout and POST /auth/logout-all so they can succeed when the session is expired; both now always clear the session cookie after attempting logout.
- On 401 SESSION_EXPIRED, show a toast once and await userStore.logout(); removed inline router redirection logic.
- clearAuth(); logout() now clears local auth state and redirects to Login with a redirect back to the current route.
Written by Cursor Bugbot for commit 2fa1f4c.
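The 401 loop described in the author's comment and the interceptor concern raised in the third Bugbot comment can be handled in one place: a session-expired handler that ignores a 401 coming from the logout endpoint itself, logs out only once for concurrent failures, and always clears local state and redirects even when the logout request fails. This is an added example, not code from this PR; logoutApi, clearAuth, navigate, toast and getCurrentRoute are assumed dependencies injected by the caller.

```javascript
// Added example (not the PR's code): 401 SESSION_EXPIRED handler for a response
// interceptor that cannot loop back into /auth/logout and always ends logged out.
// logoutApi, clearAuth, navigate, toast, getCurrentRoute are assumed dependencies.
const LOGOUT_PATH = '/auth/logout';

function createSessionExpiredHandler({ logoutApi, clearAuth, navigate, toast, getCurrentRoute }) {
  let inFlight = null; // shared promise so concurrent 401s trigger a single logout

  async function finishLogout() {
    const redirect = getCurrentRoute();
    try {
      await logoutApi(); // server-side cleanup; may fail with 401 or a network error
    } catch (_) {
      // Ignore: the server session is already gone or the server is unreachable.
    } finally {
      clearAuth(); // local auth state is reset regardless of the API outcome
      navigate({ name: 'Login', query: { redirect } });
    }
  }

  // Returns 'logged-out' once the local state is clear, 'already-logged-out' when
  // the failing request was the logout call itself, and rethrows anything else.
  return async function onResponseError(error) {
    const response = error.response || {};
    const code = response.data && response.data.code;
    const url = error.config && error.config.url;
    if (response.status !== 401 || code !== 'SESSION_EXPIRED') {
      throw error; // not a session expiry; leave it to other handlers
    }
    if (url === LOGOUT_PATH) {
      // The logout request came back 401: do not call logout again (this was the loop).
      return 'already-logged-out';
    }
    if (!inFlight) {
      toast('登录已过期,请重新登录'); // shown once, even if several requests fail together
      inFlight = finishLogout().finally(() => { inFlight = null; });
    }
    await inFlight;
    return 'logged-out';
  };
}
```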